Greetings from Brussels!
There was an interesting media update this week to the story surrounding Google and the allegations that they are secretly feeding personal data to advertisers.
The allegation originally stems from Brave, the maker of a niche privacy-focused internet browser. One needs to go back to the beginning of this story in 2018, when the Irish DPC received a complaint from Johnny Ryan, Braveâ€™s chief privacy officer, in association with the Open Rights Group and University College London. At the time, Ryan suggested that the Google Ad Exchange system was â€œleakingâ€� the personal data of users to more than 1,000 companies, all without the consent of users or any ability for them to act to prevent such a practice from happening. Notably the key argument of this complaint was, of course, the assertion that Google was not obtaining consent from users. And therefore, if the accusation is correct, then Google is at risk of being cited for a GDPR violation (see Article 5).
This, in turn, resulted in an investigation in May by the Irish DPC to determine whether Googleâ€™s online advertising exchange harvests sensitive personal information about internet users, such as their race, health, and political leanings. Fast forward to this week, and as reported by the Financial Times, Ryan submitted new evidence that purports Google is making use of hidden webpages that feed user personal data to adtech companies, which contravenes both its own privacy policies and EU privacy regulations that require consent and transparency.
In a nutshell, and more specifically, Ryan, in an attempt to monitor how his own data was being traded by Google, found that he had been tagged with an ID tracker that fed to third-party adtech companies logged into a hidden webpage, linked to his browsing history. In turn, this would allow those companies to match their given profiles of Ryan with his browsing behavior, which could ultimately lead to targeted and personalized advertising.Â
Where Google is concerned, they state through their notices that in sharing marketing data, it does so without identifying users personally to third parties. In other words, when a user lands on a webpage that uses Googleâ€™s RTB exchange platform (there are more than 8.4 million webpages that do so), a package of data that essentially summarizes online behavior â€” in vague fashion â€” is exchanged with potential advertisers whose automated systems bid to show an advertisement, which may match inferred interests.
Neither Google nor the Irish DPC have commented as yet on this latest revelation. Google has, however, reiterated its position: â€œWe do not serve personalized ads or send bid requests to bidders without user consent.â€� The Irish DPC stated at the launch of its initial investigation in May it would look at each stage of an ad transaction to ascertain if the ad exchange was processing in compliance with the GDPR, including looking at the lawful basis for processing, the principles of transparency, and data minimization and retention practices.
Multiple EU supervisory authorities are considering complaints of varying degrees around the practice of behavioral advertising and the adtech industry as a whole. What seems abundantly clear is that EU regulators have a lot more work to do with industry and must ensure that the GDPR is setting new norms and business standards. Industry at large, too, has a critical part to play in ensuring they hold up their end of the bargain to achieve a transparent and trusted online playing field.